From: "Ni, Ray" To: "Wadhawan, Divneil R" , "devel@edk2.groups.io" CC: gaoliming , 'Andrew Fish' , "Justen, Jordan L" , "Kinney, Michael D" Subject: Re: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot Thread-Topic: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot Thread-Index: AdaMQS9sqEhJ/RVOQYWR22UtRyYHlAAgXCCg Date: Thu, 17 Sep 2020 07:19:25 +0000 Message-ID: References: In-Reply-To: Accept-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: authentication-results: intel.com; dkim=none (message not signed) header.d=none;intel.com; dmarc=none action=none header.from=intel.com; x-originating-ip: [192.198.147.194] x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: fff9dcbc-826d-4881-9d1c-08d85ada023a x-ms-traffictypediagnostic: BYAPR11MB2808: x-ld-processed: 46c98d88-e344-4ed4-8496-4ed7712e255d,ExtAddr x-ms-exchange-transport-forked: True x-microsoft-antispam-prvs: x-ms-oob-tlc-oobclassifiers: OLM:6108; x-ms-exchange-senderadcheck: 1 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: rkVaM7Zkz0KHDM8ieDuOWG4U3dGiL7kzT70sWGYHmuI4HxEUHwLE02AGAXSZNsZ9rSFlYXr1AYf8EvmeIsmrUWtS+94XV/V+yRj+WZxaiULmv6i/arT0CoXXWzYreGKomv/+cTLsZw4ffq3J24oPrfv9WMMApxwgJfu7zLkwrAwM2YWHpXxDcRUrobOZ4n//8V4PHtoTWr7auxSrrVngRGiZYcsTTF7csfThBVkzNvjU6T/oerjVeUbtFWQsjd4l0bv3yw/HxqdQDmrkk5O5uwX2yIlm9lltt+yYomq38gd2+xu7rq8YglBiplogHOdMfLSGHDsroSGdotTR3ChIq1m4eJZ9NXTb33QuLY4eNLMR2bRYjCKohop8mS4te51s x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:BY5PR11MB4007.namprd11.prod.outlook.com;PTR:;CAT:NONE;SFS:(4636009)(39860400002)(136003)(366004)(346002)(376002)(396003)(66946007)(76116006)(110136005)(66476007)(64756008)(6506007)(71200400001)(66556008)(66446008)(478600001)(26005)(2906002)(186003)(316002)(53546011)(5660300002)(52536014)(54906003)(7696005)(83380400001)(55016002)(8676002)(86362001)(8936002)(107886003)(4326008)(9686003)(33656002);DIR:OUT;SFP:1102; 

Divneil,

Just want to double confirm: did you test the secure boot and non-secure boot?

Thanks,
Ray

From: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Sent: Wednesday, September 16, 2020 11:53 PM
To: devel@edk2.groups.io
Cc: Ni, Ray <ray.ni@intel.com>; gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Subject: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

SECURE_BOOT_ENABLE feature flag is introduced to enable Secure Boot.
The following gets enabled with this patch:
o Secure Boot Menu in "Device Manager" for enrolling keys
o Storage space for Authenticated Variables
o Authenticated execution of 3rd party images

Signed-off-by: Divneil Rai Wadhawan <divneil.r.wadhawan@intel.com>
---
 EmulatorPkg/EmulatorPkg.dsc | 37 +++++++++++++++++++++++++++++++++++--
 EmulatorPkg/EmulatorPkg.fdf | 14 ++++++++++++++
 2 files changed, 49 insertions(+), 2 deletions(-)

diff --git a/EmulatorPkg/EmulatorPkg.dsc b/EmulatorPkg/EmulatorPkg.dsc
index 86a6271735..c6e25c745e 100644
--- a/EmulatorPkg/EmulatorPkg.dsc
+++ b/EmulatorPkg/EmulatorPkg.dsc

@@ -32,6 +32,7 @@

   DEFINE NETWORK_TLS_ENABLE  &n= bsp;    =3D FALSE

   DEFINE NETWORK_HTTP_BOOT_ENABLE =3D FAL= SE

   DEFINE NETWORK_ISCSI_ENABLE  =    =3D FALSE

+  DEFINE SECURE_BOOT_ENABLE   &= nbsp;   =3D FALSE

 

 [SkuIds]

   0|DEFAULT

@@ -106,12 +107,20 @@

   LockBoxLib|MdeModulePkg/Library/LockBox= NullLib/LockBoxNullLib.inf

   CpuExceptionHandlerLib|MdeModulePkg/Lib= rary/CpuExceptionHandlerLibNull/CpuExceptionHandlerLibNull.inf

   TpmMeasurementLib|MdeModulePkg/Library/= TpmMeasurementLibNull/TpmMeasurementLibNull.inf

-  AuthVariableLib|MdeModulePkg/Library/AuthVar= iableLibNull/AuthVariableLibNull.inf

   VarCheckLib|MdeModulePkg/Library/VarChe= ckLib/VarCheckLib.inf

   SortLib|MdeModulePkg/Library/BaseSortLi= b/BaseSortLib.inf

   ShellLib|ShellPkg/Library/UefiShellLib/= UefiShellLib.inf

   FileHandleLib|MdePkg/Library/UefiFileHa= ndleLib/UefiFileHandleLib.inf

 

+!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE

+  IntrinsicLib|CryptoPkg/Library/IntrinsicLib/= IntrinsicLib.inf

+  OpensslLib|CryptoPkg/Library/OpensslLib/Open= sslLibCrypto.inf

+  PlatformSecureLib|SecurityPkg/Library/Platfo= rmSecureLibNull/PlatformSecureLibNull.inf

+  AuthVariableLib|SecurityPkg/Library/AuthVari= ableLib/AuthVariableLib.inf

+!else

+  AuthVariableLib|MdeModulePkg/Library/AuthVar= iableLibNull/AuthVariableLibNull.inf

+!endif

+

[LibraryClasses.common.SEC]

   PeiServicesLib|EmulatorPkg/Library/SecP= eiServicesLib/SecPeiServicesLib.inf

   PcdLib|MdePkg/Library/BasePcdLibNull/Ba= sePcdLibNull.inf
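Review bot: PlatformSecureLibNull performs no real physical-presence detection, and the PCD hunk further down pins PcdUserPhysicalPresence to TRUE, so every emulator boot is treated as operated by a physically present user; that is what lets the Secure Boot Configuration menu enroll and delete PK, KEK, db and dbx without a time-based authenticated payload. Acceptable for EmulatorPkg, but state it in the commit message so the stanza is not lifted into a real platform unchanged. OpensslLibCrypto.inf is the right instance for this purpose (image and variable verification need no TLS code); if NETWORK_TLS_ENABLE maps OpensslLib elsewhere in this dsc, please confirm that a build with both flags TRUE does not end up with two mappings for the same library class.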

@@ -162,6 +171,16 @@

   TimerLib|EmulatorPkg/Library/DxeCoreTim= erLib/DxeCoreTimerLib.inf

  EmuThunkLib|EmulatorPkg/Library/DxeEmuLi= b/DxeEmuLib.inf

 

+[LibraryClasses.common.DXE_DRIVER, LibraryClasses.c= ommon.UEFI_DRIVER, LibraryClasses.common.UEFI_APPLICATION]

+!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE

+  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/= BaseCryptLib.inf

+!endif

+

+[LibraryClasses.common.DXE_RUNTIME_DRIVER]

+!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE

+  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/= RuntimeCryptLib.inf

+!endif

+

[LibraryClasses.common.DXE_RUNTIME_DRIVER, LibraryCl= asses.common.UEFI_DRIVER, LibraryClasses.common.DXE_DRIVER, LibraryClasses.= common.UEFI_APPLICATION]

   HobLib|MdePkg/Library/DxeHobLib/DxeHobL= ib.inf

   PcdLib|MdePkg/Library/DxePcdLib/DxePcdL= ib.inf
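Review bot: the two new section headers sit outside the `!if`, so a build with SECURE_BOOT_ENABLE=FALSE still gets two empty [LibraryClasses.common.*] sections; put the `!if`/`!endif` around the headers as well, which also makes the block visibly secure-boot-only. The split between the two instances is correct and worth a one-line comment in the dsc: VariableRuntimeDxe links AuthVariableLib and must keep verifying after SetVirtualAddressMap, so DXE_RUNTIME_DRIVER needs RuntimeCryptLib.inf, while SecurityStubDxe (with DxeImageVerificationLib) and SecureBootConfigDxe are ordinary DXE drivers served by BaseCryptLib.inf.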

@@ -190,6 +209,10 @@

   gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwa= reFdSize|0x002a0000

   gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwa= reBlockSize|0x10000

   gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwa= reVolume|L"../FV/FV_RECOVERY.fd"

+!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE

+  gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVar= iableSize|0x2800

+  gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysica= lPresence|TRUE

+!endif

 

   gEmulatorPkgTokenSpaceGuid.PcdEmuM= emorySize|L"64!64"
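Review bot: PcdMaxAuthVariableSize|0x2800 caps one authenticated variable at 10 KiB, and for a time-based authenticated write that budget also has to hold the EFI_VARIABLE_AUTHENTICATION_2 descriptor (the PKCS#7 signature and signer certificate) that precedes the payload, so a db or dbx signature list bigger than that is refused by SetVariable. That is plenty for enrolling a few certificates from the menu, which is the use case here, but not necessarily for a complete published dbx; a sentence in the commit message would save the next person a confusing failure. The value fits easily inside the 0xBFB8 store sized in the fdf hunk. PcdUserPhysicalPresence|TRUE is the counterpart of the PlatformSecureLibNull mapping above: anyone at the emulator console can enroll or clear the PK from setup and thereby switch Secure Boot on or off, which is intended for an emulator but should be spelled out.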

 

@@ -306,7 +329,14 @@

   EmulatorPkg/ResetRuntimeDxe/Reset.inf

   MdeModulePkg/Core/RuntimeDxe/RuntimeDxe= .inf

   EmulatorPkg/FvbServicesRuntimeDxe/FvbSe= rvicesRuntimeDxe.inf

-  MdeModulePkg/Universal/SecurityStubDxe/Secur= ityStubDxe.inf

+

+  MdeModulePkg/Universal/SecurityStubDxe/Secur= ityStubDxe.inf {

+    <LibraryClasses>

+!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE

+      NULL|SecurityPkg/Lib= rary/DxeImageVerificationLib/DxeImageVerificationLib.inf

+!endif

+  }

+

   MdeModulePkg/Universal/EbcDxe/EbcDxe.in= f

   MdeModulePkg/Universal/MemoryTest/NullM= emoryTestDxe/NullMemoryTestDxe.inf

   EmulatorPkg/EmuThunkDxe/EmuThunk.inf
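Review bot: the `{ <LibraryClasses> }` override is now emitted even when SECURE_BOOT_ENABLE is FALSE, leaving an empty override block; it builds, but the clearer form is to put the `!if` around the whole override and keep the original one-line SecurityStubDxe.inf entry in an `!else`. The NULL-linked DxeImageVerificationLib is what makes the commit message's "authenticated execution of 3rd party images" true: SecurityStubDxe's file-authentication handler is a pass-through until a verification library registers with it, so with the flag FALSE every image still loads unverified, and with it TRUE the outcome for an image that fails the db/dbx check is governed by SecurityPkg's image-verification policy PCDs, which this patch leaves at their defaults. Please include in the test description that, with a PK enrolled, an unsigned UEFI application is refused, and that after the PK is deleted (setup mode) the same application runs again.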

@@ -315,6 +345,9 @@

   EmulatorPkg/PlatformSmbiosDxe/PlatformS= mbiosDxe.inf

   EmulatorPkg/TimerDxe/Timer.inf

 

+!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE

+  SecurityPkg/VariableAuthenticated/SecureBoot= ConfigDxe/SecureBootConfigDxe.inf

+!endif

 

   MdeModulePkg/Universal/Variable/Ru= ntimeDxe/VariableRuntimeDxe.inf {

     <LibraryClasses>=

diff --git a/EmulatorPkg/EmulatorPkg.fdf b/EmulatorPkg/EmulatorPkg.fdf
index 295f6f1db8..b256aa9397 100644
--- a/EmulatorPkg/EmulatorPkg.fdf
+++ b/EmulatorPkg/EmulatorPkg.fdf

@@ -46,10 +46,17 @@ DATA =3D {

   # Blockmap[1]: End

   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0= 0, 0x00,

   ## This is the VARIABLE_STORE_HEADER

+!if $(SECURE_BOOT_ENABLE) =3D=3D FALSE

   #Signature: gEfiVariableGuid =3D

   #  { 0xddcf3616, 0x3275, 0x4164, {= 0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d }}

   0x16, 0x36, 0xcf, 0xdd, 0x75, 0x32, 0x6= 4, 0x41,

   0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xf= e, 0x7d,

+!else

+  # Signature: gEfiAuthenticatedVariableGuid = =3D

+  #  { 0xaaf32c78, 0x947b, 0x439a, { 0xa1= , 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92 }}

+  0x78, 0x2c, 0xf3, 0xaa, 0x7b, 0x94, 0x9a, 0x= 43,

+  0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x= 92,

+!endif

   #Size: 0xc000 (gEfiMdeModulePkgTokenSpa= ceGuid.PcdFlashNvStorageVariableSize) - 0x48 (size of EFI_FIRMWARE_VOLUME_H= EADER) =3D 0xBFB8

   # This can speed up the Variable Dispat= ch a bit.

   0xB8, 0xBF, 0x00, 0x00,
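Review bot: this is the only guard in the patch written as `== FALSE`; every guard in the dsc is `== TRUE`. Flip it (authenticated signature under `== TRUE`, gEfiVariableGuid in the `!else`) so the two files cannot disagree: as written, a value other than exactly TRUE or FALSE selects AuthVariableLibNull in the dsc but stamps the store with gEfiAuthenticatedVariableGuid here. The signature is also what the variable driver reads at boot to decide between the plain and the authenticated variable-record layout, so a FV_RECOVERY.fd left over from a build with the other setting will be read as the old format; note in the commit message that the FD must be regenerated whenever the flag changes. Leaving the Size field at 0xBFB8 is correct, since only the GUID differs.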

@@ -186,6 +193,13 @@ INF  RuleOverride =3D UI M= deModulePkg/Application/UiApp/UiApp.inf

INF  MdeModulePkg/Application/BootManagerMenuAp= p/BootManagerMenuApp.inf

INF  MdeModulePkg/Universal/DriverSampleDxe/Dri= verSampleDxe.inf

 

+#

+# Secure Boot Key Enroll

+#

+!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE

+INF SecurityPkg/VariableAuthenticated/SecureBootCon= figDxe/SecureBootConfigDxe.inf

+!endif

+

#

# Network stack drivers

#
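Review bot: the fdf entry matches the dsc component, and both are needed (the dsc builds the module, this line places it in the FV). The banner understates the module: SecureBootConfigDxe also deletes keys, enrolls dbx entries and switches between standard and custom mode, so "Secure Boot Configuration" (its own name) reads better than "Secure Boot Key Enroll". Since this is the enrolment UI, the cover letter should describe the end-to-end check: enroll a PK from Device Manager, confirm SetupMode reads 0 and SecureBoot reads 1, restart the emulator and confirm the PK is still there, which exercises the new store format, the authenticated-variable path and the runtime crypto mapping in one pass.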

--

2.24.1.windows.2
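As an added check for the variable-store format this patch switches (example code written for this page, not code from the patch or from edk2): a Python decoder for the store that the fdf DATA block lays out. It assumes the record layouts from edk2's VariableFormat.h (28-byte VARIABLE_STORE_HEADER, 32-byte VARIABLE_HEADER in a gEfiVariableGuid store, 60-byte AUTHENTICATED_VARIABLE_HEADER in a gEfiAuthenticatedVariableGuid store); the two signature GUIDs and the 0xBFB8 store size are the values from the fdf hunk, and the sample variables are constructed in the block. It goes slightly beyond the patch by walking the records, which is what shows why the signature must match the build: the same record bytes under the wrong signature either fail to parse or come back as a nameless variable.

```python
"""Decode an edk2 variable store as the EmulatorPkg fdf DATA block lays it out.
Added example for this page, not code from the patch or from edk2. Layouts are assumed
from MdeModulePkg's VariableFormat.h: 28-byte VARIABLE_STORE_HEADER, then 32-byte
VARIABLE_HEADER records (gEfiVariableGuid store) or 60-byte AUTHENTICATED_VARIABLE_HEADER
records (gEfiAuthenticatedVariableGuid store). Sample stores below are constructed here."""
import struct
import uuid

# Store signatures from the fdf hunk, as GUID text of the DATA byte sequences
EFI_VARIABLE_GUID = uuid.UUID("ddcf3616-3275-4164-98b6-fe85707ffe7d")
EFI_AUTHENTICATED_VARIABLE_GUID = uuid.UUID("aaf32c78-947b-439a-a180-2e144ec37792")
EMU_STORE_SIZE = 0xC000 - 0x48   # 0xBFB8: PcdFlashNvStorageVariableSize minus the FV header
VARIABLE_STORE_FORMATTED, VARIABLE_STORE_HEALTHY = 0x5A, 0xFE  # Format/State of a usable store
VARIABLE_DATA, VAR_ADDED, HEADER_ALIGNMENT = 0x55AA, 0x3F, 4   # record StartId, live State, alignment

STORE_HDR = struct.Struct("<16sIBBHI")           # Signature, Size, Format, State, Reserved, Reserved1
VAR_HDR = struct.Struct("<HBBIII16s")            # StartId, State, Rsvd, Attributes, NameSize, DataSize, VendorGuid
AUTH_VAR_HDR = struct.Struct("<HBBIQ16sIII16s")  # ... Attributes, MonotonicCount, TimeStamp, PubKeyIndex, NameSize, DataSize, VendorGuid


def parse_store(blob: bytes) -> dict:
    """Return {'authenticated', 'size', 'variables'} for a store image starting at its signature."""
    sig, size, fmt, state, _, _ = STORE_HDR.unpack_from(blob, 0)
    guid = uuid.UUID(bytes_le=sig)
    if guid not in (EFI_VARIABLE_GUID, EFI_AUTHENTICATED_VARIABLE_GUID):
        raise ValueError(f"unknown variable store signature {guid}")
    if fmt != VARIABLE_STORE_FORMATTED or state != VARIABLE_STORE_HEALTHY:
        raise ValueError(f"store not formatted/healthy: Format=0x{fmt:02x} State=0x{state:02x}")
    if size > len(blob):
        raise ValueError(f"store claims 0x{size:x} bytes but only 0x{len(blob):x} given")
    authenticated = guid == EFI_AUTHENTICATED_VARIABLE_GUID
    hdr = AUTH_VAR_HDR if authenticated else VAR_HDR  # the signature alone selects the record layout
    variables, off = [], STORE_HDR.size
    while off + hdr.size <= size:
        fields = hdr.unpack_from(blob, off)
        if fields[0] != VARIABLE_DATA:
            break  # erased flash (0xFF): end of the used region
        name_size, data_size, vendor = fields[-3], fields[-2], fields[-1]
        name_off, data_off = off + hdr.size, off + hdr.size + name_size
        end = data_off + data_size
        if end > size:
            raise ValueError(f"variable at 0x{off:x} runs past the store")
        if fields[1] == VAR_ADDED:
            variables.append({"name": blob[name_off:data_off].decode("utf-16-le").rstrip("\0"),
                              "vendor": uuid.UUID(bytes_le=vendor), "attributes": fields[3],
                              "data": blob[data_off:end]})
        off = (end + HEADER_ALIGNMENT - 1) & ~(HEADER_ALIGNMENT - 1)
    return {"authenticated": authenticated, "size": size, "variables": variables}


def build_store(authenticated: bool, store_size: int, variables) -> bytes:
    """Construct a store image (sample data) in the record layout its signature implies."""
    guid = EFI_AUTHENTICATED_VARIABLE_GUID if authenticated else EFI_VARIABLE_GUID
    out = bytearray(STORE_HDR.pack(guid.bytes_le, store_size, VARIABLE_STORE_FORMATTED,
                                   VARIABLE_STORE_HEALTHY, 0, 0))
    for name, vendor, attrs, data in variables:
        name_bytes = (name + "\0").encode("utf-16-le")  # NameSize counts the CHAR16 terminator
        if authenticated:
            out += AUTH_VAR_HDR.pack(VARIABLE_DATA, VAR_ADDED, 0, attrs, 0, b"\0" * 16, 0,
                                     len(name_bytes), len(data), vendor.bytes_le)
        else:
            out += VAR_HDR.pack(VARIABLE_DATA, VAR_ADDED, 0, attrs, len(name_bytes), len(data),
                                vendor.bytes_le)
        out += name_bytes + data
        out += b"\xff" * (-len(out) % HEADER_ALIGNMENT)
    out += b"\xff" * (store_size - len(out))  # unused space reads as erased flash
    return bytes(out)


def restamp(blob: bytes, authenticated: bool) -> bytes:
    """Swap only the signature and keep the records: the mismatch the fdf guard exists to prevent."""
    guid = EFI_AUTHENTICATED_VARIABLE_GUID if authenticated else EFI_VARIABLE_GUID
    return guid.bytes_le + blob[16:]


def classify(blob: bytes) -> str:
    """One-line verdict for a store image; never raises."""
    try:
        info = parse_store(blob)
    except ValueError as exc:
        return f"error: {exc}"
    kind = "authenticated" if info["authenticated"] else "non-authenticated"
    return f"{kind} store, 0x{info['size']:x} bytes, variables {[v['name'] for v in info['variables']]}"


# Constructed sample content (not from a real FD): one boot option and a 40-byte stand-in for PK
EFI_GLOBAL_VARIABLE = uuid.UUID("8be4df61-93ca-11d2-aa0d-00e098032b8c")
NV, BS, RT, TIME_BASED_AUTH = 0x1, 0x2, 0x4, 0x20
SAMPLE_VARIABLES = [("Boot0000", EFI_GLOBAL_VARIABLE, NV | BS | RT, b"\x01\0\0\0" + "Emu".encode("utf-16-le")),
                    ("PK", EFI_GLOBAL_VARIABLE, NV | BS | RT | TIME_BASED_AUTH, b"\xaa" * 40)]
NONAUTH_STORE = build_store(False, EMU_STORE_SIZE, SAMPLE_VARIABLES)
AUTH_STORE = build_store(True, EMU_STORE_SIZE, SAMPLE_VARIABLES)

if __name__ == "__main__":
    for label, blob in (("non-secure build", NONAUTH_STORE), ("SECURE_BOOT_ENABLE build", AUTH_STORE),
                        ("plain records, auth signature", restamp(NONAUTH_STORE, True)),
                        ("auth records, plain signature", restamp(AUTH_STORE, False))):
        print(f"{label:30s} -> {classify(blob)}")
```

To check a persisted emulator store, slice the FD from PcdFlashNvStorageVariableBase plus 0x48 (the FV header size the fdf comment cites) for 0xBFB8 bytes and hand it to classify(); if the verdict does not match the SECURE_BOOT_ENABLE value the firmware was built with, regenerate the FD before booting rather than letting the variable driver read the records in the wrong layout.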
